PT-2022-27364 · Unknown · Online Leave Management System
Realguoxiufeng · Published 2022-12-07 · Updated 2025-04-23
CVE-2022-45009
CVSS v3.1: 7.2 (High)
| Vector | AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Online Leave Management System version 1.0
Description
The issue allows attackers to execute arbitrary code via a crafted PHP file by exploiting an arbitrary file upload vulnerability at the "/leave system/classes/SystemSettings.php?f=update settings" API endpoint.
Recommendations
For version 1.0, consider disabling the file upload functionality in SystemSettings.php until a patch is available. Restrict access to the "/leave system/classes/SystemSettings.php?f=update settings" endpoint to minimize the risk of arbitrary code execution.
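The following is an added example of how an "update settings" image upload handler can be hardened against the class of flaw described above. It is not code from Online Leave Management System or from the advisory; the form field name `img`, the `storeImageUpload()` function and the `uploads` directory are assumptions. The handler decides the file type from the bytes, assigns its own filename and extension, and relies on the upload directory being configured so the web server never executes PHP from it.

```php
<?php
// Added example, not the project's own code: a hardened replacement for an
// unrestricted settings/logo upload. Assumptions: the file arrives in
// $_FILES['img'] (hypothetical field name), the caller has already verified an
// authenticated administrator session, and UPLOAD_DIR is a directory from
// which the web server is configured not to execute PHP.

declare(strict_types=1);

const UPLOAD_DIR = __DIR__ . '/../uploads';   // assumed location
const MAX_BYTES  = 2 * 1024 * 1024;           // 2 MiB cap
const ALLOWED    = [                          // detected MIME type => extension WE assign
    'image/png'  => 'png',
    'image/jpeg' => 'jpg',
    'image/gif'  => 'gif',
];

/**
 * Validate one uploaded file and return the path it was stored under.
 * Throws on any policy violation so a rejected file never reaches the web root.
 */
function storeImageUpload(array $file, string $dir = UPLOAD_DIR): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed or missing');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }

    // Determine the type from the content, never from the client-supplied
    // filename or Content-Type header, both of which the sender controls.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException("type not allowed: $mime");
    }
    // Second opinion: the bytes must actually decode as an image.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a valid image');
    }

    // Never reuse the client's filename. A random name plus the extension
    // derived from the detected type means names such as "x.php" or
    // "x.php.png" are never written to disk as such.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest = rtrim($dir, '/') . '/' . $name;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0644); // readable, never executable
    return $dest;
}

// Usage inside the settings handler:
try {
    $stored = storeImageUpload($_FILES['img'] ?? []);
    // ... persist $stored in the settings table ...
} catch (RuntimeException $e) {
    http_response_code(400);
    echo 'rejected: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
}
```

The content check and the server-assigned name are the two controls that matter; together they mean that even a request which passes the endpoint's access control cannot place an executable script under the document root. The web-server side of the assumption also needs to hold: on Apache, a `.htaccess` in the upload directory containing `php_flag engine off` (or a `<FilesMatch>` rule denying `.php`/`.phtml`) keeps any stray file inert, and equivalent `location` blocks exist for nginx.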
Exploit
Fix
Unrestricted File Upload
Weakness Enumeration
Related Identifiers
Affected Products
Online Leave Management System